Hunting queries for creation of a service


I'd like to create a query to review creation of new services so as to find unique ones in my environment, but I'm not finding a way to do it.  Ideally I'd also like to automatically provide some analysis on any binaries launched by those services (e.g. prevalence information in the wild and VT score) - could someone point me in the right direction?

1 Reply

@AnalystGuy 

This should get you started

DeviceEvents
| where ActionType == 'ServiceInstalled'

If I find the time, I'll look into the 2nd topic you mentioned.
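An added example that extends the reply's starting point (this is not code from the thread): the query below pulls the service details out of the ServiceInstalled event, counts how many devices in the tenant have installed each service/binary pair so rare ones surface, and then enriches the service binary with Microsoft's global prevalence and signer data. It assumes that ServiceInstalled rows carry ServiceName, ServiceStartType and ServiceAccount in the AdditionalFields JSON, that the SHA1 column is the hash of the service binary, and that the FileProfile() enrichment function is available in your tenant; the 30-day lookback and the "rare" threshold of 3 devices are arbitrary values to tune.

```kql
// Added example, not from the original thread.
// Assumptions: ServiceInstalled rows keep ServiceName / ServiceStartType /
// ServiceAccount inside AdditionalFields, SHA1 is the service binary's hash,
// and FileProfile() is available in this tenant.
let lookback = 30d;
let rare_threshold = 3;   // treat a service seen on <= 3 devices as "unique"
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ServiceInstalled"
| extend Parsed = parse_json(AdditionalFields)
| extend ServiceName      = tostring(Parsed.ServiceName),
         ServiceStartType = tostring(Parsed.ServiceStartType),
         ServiceAccount   = tostring(Parsed.ServiceAccount)
// Local prevalence: how widely each service/binary pair appears in this tenant
| summarize Installs        = count(),
            Devices         = dcount(DeviceId),
            FirstSeen       = min(Timestamp),
            LastSeen        = max(Timestamp),
            SampleDevice    = any(DeviceName),
            SamplePath      = any(FolderPath),
            SampleInitiator = any(InitiatingProcessFileName)
          by ServiceName, FileName, SHA1, ServiceStartType, ServiceAccount
| where Devices <= rare_threshold
// Global prevalence / signer / known-threat data for the binary (max 1000 rows enriched)
| invoke FileProfile(SHA1, 1000)
| project-reorder ServiceName, FileName, SamplePath, ServiceAccount, ServiceStartType,
                  Devices, Installs, GlobalPrevalence, GlobalFirstSeen,
                  Signer, IsCertificateValid, ThreatName,
                  FirstSeen, LastSeen, SampleDevice, SampleInitiator, SHA1
| order by GlobalPrevalence asc, Devices asc
```

The two prevalence numbers answer different questions: Devices is how unusual the service is in your own environment, GlobalPrevalence is how unusual the binary is across Microsoft's telemetry, and the interesting rows are the ones where both are low and the signer is missing or invalid. Advanced hunting has no built-in VirusTotal lookup, so for a VT score you would export the SHA1 column from this output and query VirusTotal separately.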